b'U.S. DEPARTMENT OF COMMERCE\n          Office of Inspector General\n\n\n\n\n    Bureau of Industry and Security\n\n           FY 2009 FISMA Assessment of\n            Bureau Export Control Cyber\n                Infrastructure, Version 2\n                              (BECCI-2)\n\n  Draft Inspection Report No. OSE-19575/September 2009\n\n\n\n\n                              Office of Audit and Evaluation\n\x0c                                                       UNITED STATES DEPARTMENT OF COMMERCE\n                                                       Office of Inspector General\n                                                       Washington, D.C. 20230\n\n\n\n\nSeptember 30, 2009\n\nMEMORANDUM FOR: Daniel O. Hill\n                Acting Under Secretary for Industry and Security and\n                   Deputy Under Secretary for Industry and Security\n\n\n\n\nFROM:                        Allen Crawley\n                                              ot&C~\n                                                  ~\n                             Assistant Inspector General\n                                for Systems Acquisition and IT Security\n\nSUBJECT:                     Bureau of Industry and Security\n                             FY 2009 FISMA Bureau Export Control Cyber\n                             Infrastructure, Version 2 (BECCI-2)\n                             Final Inspection Report No. OSE-19575\n\nThis report presents the results of our Federal Information Security Management Act\n(FISMA) review ofBIS\' certification and accreditation of the Bureau Export Control\nCyber Infrastructure, Version 2 (BECCI-2).\n\nWe found that BIS\' certification and accreditation ofBECCI-2 did not meet Department\nand FISMA requirements. We identified deficiencies with security planning, a lack of\ndefined configuration settings prior to the security certification, and an incomplete\nsecurity control assessment. In addition, the authorizing official\'s accreditation decision\ndid not comply with Department and BIS policy, and as a result, additional oversight of\nthe system may have been inappropriately avoided. We also found that reporting\nprocedures required by Department policy were not followed.\n\nOIG\'s own assessment ofBECCI-2 controls found vulnerabilities re uirin\n\n\n\n\nIn its response to our draft report, BIS did not dispute our findings but did not specifically\nindicate whether it agreed with our recommendations. After receiving BIS\' s response, I\nspoke with BIS\' acting chief information officer, who stated that BIS agreed with our\nfindings and recommendations. BIS\' response is included in its entirety as appendix C.\n\x0cWe request that you provide us with an action plan describing the actions you have taken\nor plan to take in response to our recommendations within 60 calendar days of the date of\nthis report. A plan of action and milestones should be used to communicate the plan as\nrequired by FISMA.\n\nWe appreciate the cooperation and courtesies extended to us by your staff during our\nevaluation. If you would like to discuss any of the issues raised in this report, please call\nme at (202) 482-1855.\n\n\n\n\nAttachment\n\ncc:\t   Suzanne lEIding, chief information officer, U.S. Department of Commerce\n       Eddie Donnell, acting chief information officer, BIS\n       Raushi Conrad, director, System and Security Operations, BIS\n\x0c                      OIG FY 2009 FISMA Assessment\n\n\nListing of Abbreviated Terms and Acronyms\n\nAAA           Authentication, Authorization, and Accounting       feature)\nACL           Access Control List\nATO           Authorization to Operate\nBECCI-2       Bureau Export Control Cyber Infrastructure, Version 2\nBIS           Bureau of Industry and Security\nC&A           Certification and Accreditation\nCIO           Chief Information Officer\nCIS           Center for Internet Security\nCSAM          Cyber Security Assessment and Management\nDISA          Defense Information Systems Agency\nDoD           Department of Defense\nECASS-R       Export Control Automated Support System Redesign\n\n\nFIPS          Federal Information Processing Standards\nFISMA         Federal Information Security Management Act of 2002\nIATO          Interim Authorization to Operate\nIMS-R         Investigative Management System - Redesign\nIT            Information Technology\nITSO          Information Technology Security Officer\n\n\nNIST          National Institute of Standards and Technology\nNSA           National Security Agency\nNTP           Network Time Protocol\nOCIO          Office of the Chief Information Officer\nOIG           Office of Inspector General\nOITPP         Office of IT Policy and Planning\nPIA           Privacy Impact Assessment\nPOA&M         Plan of Action and Milestones\n\n\nSOP           Standard Operating Procedures\nSSP           System Security Plan\nUPI           Unique Project Identifier\n\n\n\n\n                                    Page 1\n\n\x0c                               OIG FY 2009 FISMA Assessment\n\n\n\n\nSynopsis of Findings\n\n  \xe2\x80\xa2    Key security planning activities necessary for certification and accreditation were not\n       performed.\n\n  \xe2\x80\xa2    Secure configuration settings were not defined for information technology (IT)\n       products prior to the security control assessment.\n\n  \xe2\x80\xa2    Security control assessment was not adequate for a                system.\n\n  \xe2\x80\xa2    Authorizing official\xe2\x80\x99s accreditation decision violated Department and Bureau of\n       Industry and Security (BIS) IT security policy and Federal Information Security\n       Management Act of 2002 (FISMA) guidance.\n\n  \xe2\x80\xa2    Reporting procedures required by Department IT policies were not followed.\n\n  \xe2\x80\xa2    OIG control assessment found vulnerabilities requiring remediation.\n\nConclusion\n\n The certification and accreditation of the Bureau Export Control Cyber Infrastructure,\n Version 2 (BECCI-2) did not meet Department and FISMA requirements for a\n system. Security planning deficiencies, in particular, the lack of defined security\n requirements, undermined the certification team\xe2\x80\x99s ability to assess controls accurately and\n completely. Without defined security requirements, the certification team was left to judge\n controls against best practice standards rather than those that are customized to the needs\n of the system. This was most evident with the Configuration Settings (CM-6) control where\n no secure settings had been defined and documented for IT products, although BIS has\n since made progress in this area.\n\n In many cases, necessary testing was not performed and control assessments consisted of\n interviews and examination of incomplete documentation. Many IT products were not\n assessed because their existence was unknown to the certification team in time to\n adequately prepare assessment procedures.\n\n The certification team asserted its penetration test demonstrated the capability of BECCI-2\n defenses. However, we remain concerned with BIS\xe2\x80\x99\n\n\n\n While budget constraints led BIS to focus its resources in some areas at the expense of\n others, FISMA requires the depth and rigor of security planning and the intensity of security\n control assessments be scaled to BECCI-2\xe2\x80\x99s\n\n\n\n\n                                           Page 2\n\x0c                                   OIG FY 2009 FISMA Assessment\n\nSummary of BIS Response\n\nIn its response to our draft report, BIS did not dispute our findings but did not specifically indicate\nwhether it agreed with our recommendations. BIS stated that in FY 2010 it plans to have a\ncomplete and approved certification and accreditation for all its systems. BIS also stated it has\nbegun efforts to improve certification and accreditation documentation, IT workforce skills, and\noverall FISMA responsibilities.\n\nBIS\xe2\x80\x99 response is included in its entirety as appendix C of this report.\n\nOIG Comments\n\nAfter receiving BIS\xe2\x80\x99 response, OIG\xe2\x80\x99s assistant inspector general for systems acquisition and IT\nsecurity spoke with BIS\xe2\x80\x99 acting chief information officer, who stated that BIS agreed with our\nfindings and recommendations.\n\n\n\n\n                                                Page 3\n\x0c                                OIG FY 2009 FISMA Assessment\n\n\n\nIntroduction\n BECCI-2 is the production version general support system that was implemented as part of\n BIS\xe2\x80\x99 Export Control Automated Support System Redesign (ECASS-R). BECCI-2 is part of\n an effort that began in 2006 to implement an infrastructure designed to segregate\n applications according to the categorization of information stored, processed, and\n transmitted.\n\n The system is intended to host BIS\xe2\x80\x99 major applications that include\n\n\n\n\n The system consists of network components, security infrastructure, storage and system\n administration software and hardware components, servers, and workstations. The system\n includes data centers in                                 , and additional components in the\n                                                . Redundant connections to the data centers\n exist via the                                              . There are also field offices\n located throughout the United States that include network components and workstations for\n major application users.\n\n Thus far, and for the duration of our evaluation, only one major application is operating on\n the BECCI-2 infrastructure; this application, the Investigative Management System-\n Redesign (IMS-R), is separately certified and accredited and not part of our review.\n\nCertification and Accreditation (C&A) Timeline and BIS\xe2\x80\x99 Constraints\n\n BECCI-2\xe2\x80\x99s security certification occurred during August-September 2008, and the system\n was authorized to operate on October 3, 2008. In a memo submitted with the C&A\n package, BIS told us that\n\n       Given the severe BIS 2008 and 2009 budget constraints, BIS made a\n       conscious decision, with the cognizance of the Under Secretary, Deputy\n       Under Secretary, Department CIO, Department Deputy Secretary, and the\n       full Department IT Review Board, to focus its very scarce resources on\n       technical controls as opposed to documentation.\n\n The memo also indicated that BIS\xe2\x80\x99 executive management considered delaying BECCI-2\xe2\x80\x99s\n deployment until securing \xe2\x80\x9cadditional funding to improve its documentation and address all\xe2\x80\x9d\n of the certification team\xe2\x80\x99s findings. However, a previous                             on the\n               made the deployment of IMS-R onto BECCI-2 infrastructure \xe2\x80\x9ccritical.\xe2\x80\x9d And BIS\n indicated, \xe2\x80\x9cConsideration of the design, [sic] is a driver (in addition to its technical controls\n testing results) for the independent\xe2\x80\xa6assessment of the system as secure.\xe2\x80\x9d\n\n The authorizing official\xe2\x80\x99s accreditation decision letter, while granting a \xe2\x80\x9cfull\xe2\x80\x9c authorization to\n operate (ATO), placed restrictions on system operation by requiring the system owner and\n staff to mitigate high- and moderate-risk vulnerabilities within 180 days, or the authorization\n to operate would be rescinded. On April 1, 2009, the system owner requested, and the\n authorizing official granted, a 6-month extension of the ATO in order to complete the\n mitigation of vulnerabilities.\n\n\n\n\n                                             Page 4\n\x0c                                    OIG FY 2009 FISMA Assessment\n\nFindings and Recommendations\n\n    1. Key Security Planning Activities Necessary for Certification and\n       Accreditation Were Not Performed\n    Background: Department policy requires operating units to follow the C&A process as\n    detailed in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal\n    Information Systems. NIST SP 800-37 outlines a four-phased1 process to ensure \xe2\x80\x9cagency\n    officials have the most complete, accurate, and trustworthy information possible on the\n    security status of information systems.\xe2\x80\x9d The initiation phase includes security planning\n    activities, which provide a basis for the assessment of security controls in the security\n    certification phase.\n\n     \xe2\x80\xa2    The system\xe2\x80\x99s accreditation boundary was not defined prior to the security certification\n          phase.\n            o The certification team was not provided a complete listing of the system\xe2\x80\x99s\n                hardware and software components, required by Department policy, which would\n                fully describe the system\xe2\x80\x99s accreditation boundary.\n                  \xc2\x83 This lack of information hampered the security control assessment (see\n                       finding 3).\n            o The initiation phase in NIST SP 800-37 calls for the system owner to confirm that\n                the system has been fully described and documented before beginning the\n                security certification phase.\n\n     \xe2\x80\xa2    The system security plan was incomplete and did not provide an adequate basis for the\n          security certification.\n                                 2\n            o Draft versions of the security plan given to the certification team were missing\n                sufficient detail to permit analysis and testing of controls.\n                   \xc2\x83\n\n                                                                                     ).\xe2\x80\x9d This level\n                      of assurance was not evident in the security plan and related system\n                      documentation.\n                        \xe2\x80\xa2                         technical controls descriptions we examined\n                            were inadequate in the security plans BIS provided to the certification\n                            team for its control assessment. (This includes information in the\n                            \xe2\x80\x9cDetailed Network and Security Infrastructure Design\xe2\x80\x9d document that\n                            the certification team referenced in its assessment results.)\n\n\n\n\n1\n  The four phases of the C&A process are: initiation, security certification, security accreditation, \n\nand continuous monitoring.\n\n2\n  The certification team\xe2\x80\x99s spreadsheet of assessment results references security plan versions\n\n0.2, 0.3, and 0.4. We reviewed draft Versions 0.3 and 0.4 and BIS-approved Versions 1.0 and\n\n1.5.\n3\n  From NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information\nSystems, E-1-2\n                                                Page 5\n\x0c                                   OIG FY 2009 FISMA Assessment\n\n\n           o\t The certification team told us that the lack of information in the plan precluded\n              testing many controls. In its security assessment report, the certification team\n              said, \xe2\x80\x9cThe [system security plan] is still in draft form during conduct of the\n              [security control assessment] and test development. It contains references to\n              documents that are unknown to the testers, or currently do not exist.\xe2\x80\x9d\n                \xc2\x83\t The security assessment report also noted, \xe2\x80\x9cThe primary reason for most\n                     [control] failures was material weakness of policy, procedures, plans, and\n                     records,\xe2\x80\x9d indicating, \xe2\x80\x9cThis is an administrative corrective action that\n                     impacts technical controls [emphasis added].\xe2\x80\x9d\n\n    \xe2\x80\xa2\t   The approved system security plan (Version 1.0) was not completed until after most of\n         the security control assessment and was not provided to the certification team.\n           o\t The security plan was approved by the system owner, BIS\xe2\x80\x99 then-chief information\n               officer (CIO), and the information technology security officer (ITSO) on August\n               29, 2008, and by the authorizing official on September 5, 2008.\n           o\t The certification team assessed controls between August 18, 2008, and\n               September 15, 2008, and told us BIS did not provide the approved security plan.\n                 \xc2\x83\t Even if it had, we found Version 1.0 to have the same deficiencies as the\n                      draft plans. BIS has improved its security plan since the accreditation with\n                      Version 1.5, which provides more complete information on control\n                      implementations.\n           o\t NIST SP 800-37 calls the acceptance of the security plan by the authorizing\n               official and senior agency information security officer \xe2\x80\x9can important milestone\xe2\x80\x9d\n               that occurs \xe2\x80\x9cprior to conducting an assessment of controls.\xe2\x80\x9d\n\n    \xe2\x80\xa2\t\n                                    4\n         Common security controls were not clearly defined.\n           o\t The initial security plan identified 35 security controls as common controls\n              (controls the system inherits from others), or having partially common control\n              elements, because they were controls supporting several IT systems including\n              BECCI-2.\n           o\t The certification team noted, in the security assessment report, some uncertainty\n              about \xe2\x80\x9cinheritance from the enterprise\xe2\x80\x9d and whether the system owner has\n              responsibility for some controls.\n           o\t After certification and accreditation was completed, BIS asserted that BECCI-2\n              does not have common controls that it inherits from other providers, but it is\n              providing controls for all other systems residing on its infrastructure.\n                \xc2\x83\t This change illustrates the fact that several months after certification testing\n                     was completed, there was still uncertainty as to who was responsible for\n                     security controls in BECCI-2.\n\n\n\n\n4\n  Common security controls\xe2\x80\x99 development, implementation, and assessment are assigned to\nresponsible organization officials or elements other than system owners whose systems will\nimplement or use the controls. Common controls are intended to facilitate reuse across systems\nwhere they will be used (see NIST SP 800-53, Rev. 2, 9-10).\n                                               Page 6\n\x0c                               OIG FY 2009 FISMA Assessment\n\n\nRecommendations\n\nBIS should\n\n1.1 provide a full listing of hardware and software components in advance of future control\n    assessments so that assessors may prepare for testing of all IT products where controls\n    are implemented;\n1.2 include in the system security plan and related documents sufficient detail to permit\n    analysis and testing of controls;\n1.3 ensure that updated security plans are accepted by the system owner, authorizing official,\n    and BIS\xe2\x80\x99 ITSO in advance of future control assessments; and\n1.4 in the event that common controls are employed, update the plan to provide sufficient\n    clarity as to who is responsible for their development, implementation, and assessment.\n\n\n\n\n                                           Page 7\n\x0c                                 OIG FY 2009 FISMA Assessment\n\n\n\n2. Secure Configuration Settings Were Not Defined for IT Products Prior to\n   the Security Control Assessment\n Background: The Department\xe2\x80\x99s IT security policy and NIST SP 800-53 require establishing\n and assessing secure configuration settings for IT products, which include operating systems\n for system components (such as servers, desktops, laptops, routers, and switches) and\n applications (such as e-mail, Web, virtual private network (VPN), firewall, intrusion detection,\n database, and antivirus). FISMA and OMB guidance also highlight the importance of secure\n configuration settings. Implementing and maintaining secure configuration settings is one of\n the most effective ways of negating threats.\n\n  \xe2\x80\xa2    Secure configuration settings were not defined prior to the assessment of controls by\n       the certification team.\n         o The certification team indicated the Configuration Settings (CM-6) control was not\n             tested on system components \xe2\x80\x9cdue to time constraints\xe2\x80\x9d and said, \xe2\x80\x9cThis test\n             should be completed during the next assessment.\xe2\x80\x9d\n         o The certification team did compare configuration settings of some IT products\n             against Defense Information Systems Agency (DISA)-defined settings or industry\n             best practices.\n                \xc2\x83 Settings from\n                     were examined in this manner.\n                \xc2\x83 While the scanning revealed deficiencies, the certification team could not\n                     validate settings based on the specific operational needs of this\n                             system because BIS had not defined its own settings. Therefore,\n                     the risk presented by the deficiencies was not clear.\n\n  \xe2\x80\xa2    Currently defined configuration settings for IT products need improvement.\n\n       BIS has now defined configuration settings for IT products on BECCI-2. Below, we\n       present deficiencies that should be addressed. (The NIST SP 800-53 assurance\n       requirements for a              system like BECCI-2 call for\n                            .)\n\n       Department IT security policy requires operating units to implement the methodology\n       described in NIST SP 800-70, Security Configuration Checklists Program for IT\n       Products \xe2\x80\x93 Guidance for Checklists Users and Developers. NIST SP 800-70 calls for\n       organizations to tailor industry standards or checklists (benchmarks) to reflect local\n       rules, regulations, and mandates. Any changes to the standard checklist or other\n       industry guide should be documented as part of the organization\xe2\x80\x99s defined configuration\n       settings. BIS has not documented some of its configuration settings according to these\n       requirements.\n\n         o   The file defining BIS\xe2\x80\x99                         standard secure configuration does\n             not explain deviations from benchmark settings.\n               \xc2\x83 BIS used \xe2\x80\x9c                             Security Guide and the [Center for\n                    Internet Security (CIS)]                         \xe2\x80\xa6 Consensus Security\n                    Settings \xe2\x80\xa6 as the basis for configuring the systems and customized the\n                    settings \xe2\x80\xa6\xe2\x80\x9d\n                      \xe2\x80\xa2 A review of the file defining BIS\xe2\x80\x99 custom settings found that the\n                           rationale for modifications to benchmark settings was not explained.\n\n\n\n\n                                              Page 8\n\x0c                                OIG FY 2009 FISMA Assessment\n\n\n\n              \xc2\x83\t   OIG identified            vulnerabilities through DISA-based testing (Gold \n\n                   Disk). BIS indicated that these were not vulnerabilities stating, \xe2\x80\x9cIt is a \n\n                   compliance issue as relates to Gold Disk standards. We do not set our \n\n                   [configuration settings] to adhere to Gold Disk standards. (And there is \n\n                   nothing in the [system security plan] that contradicts the settings used on \n\n                   these servers.)\xe2\x80\x9d \n\n                     \xe2\x80\xa2\t However, while BIS may not adhere to Gold Disk standards in its \n\n                          standard secure configuration, the Gold Disk vulnerabilities, \n\n                          according to DISA, have a high potential of giving access to an \n\n                          intruder.\n\n                     \xe2\x80\xa2\t In addition, there is overlap between DISA\xe2\x80\x99s Gold Disk and BIS\xe2\x80\x99\n                          defined settings since many of DISA\xe2\x80\x99s recommended settings are\n                          derived from settings recommended in the benchmarks used by BIS.\n                               o\t Of the seven vulnerabilities from our DISA-based testing that\n                                   we discussed with BIS, four are addressed in the\n                                                 Security Guide, which BIS cites as a benchmark\n                                   (see table 5 for details).\n\n        o   BIS\xe2\x80\x99 secure configuration settings for      devices need improvement.\n              \xc2\x83 BIS\xe2\x80\x99 standard secure configuration for          devices is based on CIS and\n                  NSA benchmarks. The BIS standard secure configuration depicts the\n                  BECCI-2 configuration settings in relation to CIS\xe2\x80\x99 recommendations.\n              \xc2\x83\t Not all benchmark settings are addressed in BIS\xe2\x80\x99          standard secure\n                  configuration. Notably:\n                    \xe2\x80\xa2\t Authentication, authorization, and accounting (AAA) security\n                        mechanisms \xe2\x80\x93 The BIS standard secure configuration addresses\n                        only authentication. The benchmarks include recommendations for\n                        configuring authorization and accounting mechanisms.\n                    \xe2\x80\xa2\n\n\n                     \xe2\x80\xa2\n\n\n\n              \xc2\x83\t   Some BIS settings are not accurately described. For example:\n                    \xe2\x80\xa2\n\n\n\n\nRecommendation\n\n2.1 BIS should continue to improve its defined configuration settings in accordance with\n    guidance in NIST SP 800-70 (as Department policy requires).\n\n\n\n\n                                            Page 9\n\x0c                               OIG FY 2009 FISMA Assessment\n\n\n\n3. Security Control Assessment Was Not Adequate\n\n\nBIS\xe2\x80\x99 certification team assessed controls by interviewing system administrators, examining\navailable documentation, scanning network segments to determine the composition and\nscope of the system, scanning              and        hosts with both network and application\ntools and DISA\xe2\x80\x99s scripts, and comparing configurations collected from          devices against\n\xe2\x80\x9cbest practice\xe2\x80\x9d recommended settings. The certification team told us its overall assessment\nof the security status of the system relied heavily on a system penetration test it conducted.\n\nThe certification team documented the assessment results of NIST SP 800-53 controls in a\nspreadsheet and other documents that record the assessment objectives, methods (i.e.,\ninterview, examine, or test),objects (e.g., a person, document, or class of components), and\nthe \xe2\x80\x9cactual results.\xe2\x80\x9d In addition, the team prepared a preliminary plan of action and\nmilestones (POA&M) that included vulnerabilities identified by technical testing (scans,\nscripts, etc.) and the corresponding NIST SP 800-53 controls. The certification team told us\nthat its testing was the first phase of what it understood to be a two-phased approach to\nassessing the system\xe2\x80\x99s controls. However, the team was not called back for more testing.\n\n \xe2\x80\xa2    Various IT products that implement security controls were not assessed.\n        o The certification team told us that absent a complete listing of hardware and\n            installed software, it was not able to fully prepare assessment procedures for\n            various components they eventually learned were part of the system. Significant\n            IT products that were not assessed include:\n              \xc2\x83 application servers such as                                         ,\n                                        , and                             ;\n              \xc2\x83\n              \xc2\x83 operating systems:\n                                     ; and\n              \xc2\x83                                                  (see OIG assessment in\n                   finding 6).\n\n \xe2\x80\xa2    Fifty controls were not tested \xe2\x80\x9cdue to time constraints\xe2\x80\x9d according to the certification\n      team\xe2\x80\x99s documented results (see table 1).\n         o In each case, the certification team stated, "This test should be completed\n             during the next assessment.\xe2\x80\x9d\n         o The \xe2\x80\x9ctest\xe2\x80\x9d method for assessing controls is one that is commensurate with\n             BECCI-2\xe2\x80\x99s               security categorization according to NIST SP 800-53A,\n             Guide for Assessing the Security Controls in Federal Information Systems.\n               \xc2\x83 However, the certification team relied on interviewing and examination\n                    methods for assessing the effectiveness of these controls.\n\n \xe2\x80\xa2    Assessments suffered from inadequate or inaccurate information resulting from BIS\xe2\x80\x99\n      lack of security planning (see table 2).\n\n \xe2\x80\xa2    In other cases, assessment procedures were not performed sufficiently to meet the\n      assessment objectives (see table 3).\n\n\n\n\n                                           Page 10\n\x0c                               OIG FY 2009 FISMA Assessment\n\n\nRecommendations\n\nBIS should\n\n3.1 assess IT products not evaluated for certification and accreditation;\n\n3.2 complete assessments of controls not tested by the certification team due to time\n    constraints;\n\n3.3 ensure that control assessors are provided sufficient information resulting from improved\n    BIS security planning processes (see finding 1); and\n\n3.4 employ assessment procedures that are sufficient to meet the assessment objectives.\n\n\n\n\n                                           Page 11\n\x0c                                   OIG FY 2009 FISMA Assessment\n\n\n4. Authorizing Official\xe2\x80\x99s Accreditation Decision Violated Department\n   and BIS IT Security Policy and FISMA Guidance\n\n    The deputy under secretary for Industry and Security granted a \xe2\x80\x9cfull\xe2\x80\x9d ATO after reviewing\n    the BECCI-2 security accreditation package. However, the authorization letter imposed\n    restrictions that (1) \xe2\x80\x9cBECCI-2 must mitigate all [high- and moderate-risk security control]\n    deficiencies within 180 calendar-days from the issuance of this Letter of ATO, and confirm\n    that the mitigations have been completed in writing to me, or this letter is withdrawn\n    [emphasis added],\xe2\x80\x9d and (2) the status of low-risk security deficiencies be reported to him\n    within 180 days.\n\n     \xe2\x80\xa2   Although the system is reported in the Department\xe2\x80\x99s system inventory with an ATO,\n         the restrictions included with the decision equate to an interim authorization to\n         operate (IATO) as defined in the Department\xe2\x80\x99s IT security policy and NIST SP 800-\n         37.\n           o An IATO \xe2\x80\x9cprovides authorization to operate the information system under\n               specific terms and conditions and acknowledges greater risk to the agency for\n                                               5\n               a specified period of time.\xe2\x80\x9d\n           o Notably, the certification team recommended an IATO based on its assessment\n               findings and an acknowledgement of limitations in its own testing.\n           o According to the Department\xe2\x80\x99s policy, in an ATO, risk is deemed fully\n               acceptable and \xe2\x80\x9cAlthough not affecting the security accreditation decision\n               [emphasis added], the [authorizing official] may recommend specific actions be\n               taken by the system owner to reduce or eliminate identified vulnerabilities,\n               where it is cost effective to do so.\xe2\x80\x9d\n                  \xc2\x83 However, the restrictions in BECCI-2\xe2\x80\x99s authorization letter were\n                       conditions affecting the accreditation decision\xe2\x80\x94high- and moderate-risk\n                       deficiencies in controls had to be remediated in 180 days or \xe2\x80\x9cthis letter is\n                       withdrawn.\xe2\x80\x9d\n           o BIS\xe2\x80\x99 actions post-ATO have reaffirmed the actual status as an IATO.\n                  \xc2\x83 On April 1, 2009, the BECCI-2 system owner requested \xe2\x80\x9can extension to\n                       the Authorization to Operate\xe2\x80\x9d for 6 months in order to complete\n                       remediation of the vulnerabilities. The memo indicated that all high-risk\n                       vulnerabilities had been \xe2\x80\x9cfully addressed.\xe2\x80\x9d\n                         \xe2\x80\xa2 However, some high-risk deficiencies were not remediated until\n                              April 6, 2009, after we informed BIS that high-risk deficiencies\n                              described in the executive summary of the security assessment\n                              report had not been addressed.\n                                  o Moderate-risk deficiencies were not remediated in the 180\n                                       days following the ATO.\n                                  o Authorizing official\xe2\x80\x99s granting of the 6-month extension\n                                       illustrates the perceived \xe2\x80\x9cgreater risk to the agency for a\n                                       specified period of time\xe2\x80\x9d that is consistent with an IATO as\n                                       defined under the Department\xe2\x80\x99s policy and FISMA\xe2\x80\x99s\n                                       guidance.\n\n\n\n\n5\n See U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation\nStandards, Revised June 30, 2005, Section 6.7.1, 59.\n\n                                               Page 12\n\x0c                                      OIG FY 2009 FISMA Assessment\n\n\n\n      \xe2\x80\xa2\t   BIS policy required a Denial of ATO and does not permit an IATO because such a\n           decision would potentially result in additional oversight by OMB. This inappropriate\n           rationale is stated in BIS IT policy:\n\n                 Although conceptually there is a third potential accreditation\n                 decision, Interim Authorization to Operate (IATO), this is not\n                 acceptable as a matter of BIS policy because this status is not\n                 acceptable to OMB [emphasis added]. OMB has determined that\n                 an information system is not accredited during the period of limited\n                 authorization to operate, and [does] not satisfy criteria for a well-\n                 managed investment. Investments for systems with an IATO\n                 status are historically assigned to the OMB watch list\n                 [emphasis added].\n\n                 Therefore, all BIS systems which might be considered as IATO\n                 systems are instead assigned to the Denial of ATO category\n                 [emphasis added]\xe2\x80\xa66\n\n             o\t While systems operating under an IATO are not counted as accredited under\n                the agency\xe2\x80\x99s FISMA scorecard, an IATO is an option under NIST SP 800-37.\n\n      \xe2\x80\xa2\t   Additional oversight by the Department and OMB may have been inappropriately\n\n           avoided. \n\n             o\t A by-product of BIS granting an ATO (rather than an IATO or Denial of ATO) is\n                  that the Department and OMB were precluded from identifying this system as\n                  one that potentially requires greater attention from senior management.\n                    \xc2\x83\t An ATO \xe2\x80\x9cwith restrictions\xe2\x80\x9d is not separately reported; BECCI-2 is counted\n                         as an ATO in the Department\xe2\x80\x99s system inventory and FISMA\xe2\x80\x99s report to\n                         OMB.\n\n    Recommendations\n\n    BIS should\n\n    4.1 revise its policy for accreditation decisions to comply with Department policy and\n        FISMA; and\n\n    4.2 follow its (revised) policy for future accreditation decisions.\n\n\n\n\n6\n    Bureau of Industry and Security, November 2007. IT Security Program Policy, 52.\n\n                                                  Page 13\n\x0c                                  OIG FY 2009 FISMA Assessment\n\n\n5. Reporting Procedures Required by Department IT Policies Were Not\n   Followed\n\n    \xe2\x80\xa2   BIS did not identify any proposed deviations from the mandatory practices of the\n        Department\xe2\x80\x99s IT security policy and request a waiver(s) in writing through BIS\xe2\x80\x99 then-\n        CIO from the Department\xe2\x80\x99s IT security program manager as the policy required.7\n          o BIS indicated that it chose \xe2\x80\x9cto focus its very scarce resources on technical\n              controls as opposed to documentation,\xe2\x80\x9d but in doing so failed to comply with\n              mandatory practices of the Department\xe2\x80\x99s IT security policy (see finding 1).\n          o While BIS asserted the deviations in security planning were generally done\n              \xe2\x80\x9cwith the cognizance of\xe2\x80\x9d BIS and Department senior management, there was\n              no formal waiver request filed with and approved by the Department\xe2\x80\x99s IT\n              security program manager.\n                \xc2\x83 BIS\xe2\x80\x99 then-CIO told us that a waiver request had been drafted but was\n                     never submitted to the Department.\n\n    \xe2\x80\xa2   BIS did not submit BECCI-2\xe2\x80\x99s POA&M to the Department\xe2\x80\x99s OCIO for the first quarter\n        of FY09.\n           o As a result, the status of corrective actions for this system was not properly\n              communicated to the Department.\n           o POA&M items are now entered into cyber security assessment and\n              management tool (CSAM) and viewable by Department OCIO officials.\n\n    \xe2\x80\xa2   BIS did not submit the BECCI-2 privacy impact assessment (PIA) to the Department\xe2\x80\x99s\n        OCIO for review and approval.\n          o BIS\xe2\x80\x99 IT security officer told us BECCI-2 was exempted from this requirement\n              because BECCI-2 did not have a specific system of records notice.\n                \xc2\x83 However, the Department required operating units to submit all PIAs to\n                     the OCIO, whether or not there is a specific system of records notice, for\n                     review and approval to ensure compliance with the Department\xe2\x80\x99s IT\n                     privacy policy. The Department\xe2\x80\x99s current IT privacy policy, updated\n                     January 2009, now requires operating units to submit PIAs to the\n                     Director, Office of IT Policy and Planning (OITPP), to whom the\n                     Department\xe2\x80\x99s CIO has delegated the authority to review, approve, and\n                     publish PIAs.\n          o BECCI-2\xe2\x80\x99s PIA did not include information for two of the additional elements\n              required by the Department (but not by OMB).\n                \xc2\x83 Unique project identifier (UPI) from Exhibit 300 \xe2\x80\x93 The Department\xe2\x80\x99s IT\n                     privacy policy requires that PIAs include the UPI and clearly indicate the\n                     link between the system or information collection covered by the PIA and\n                     the related major information system described in OMB Exhibit 300,\n                     Capital Asset Plan and Business Case Summary.\n                \xc2\x83 Data Extract Log and Verify Requirement \xe2\x80\x93 the December 18, 2007,\n                     memorandum from the Department\xe2\x80\x99s CIO titled \xe2\x80\x9cData Extract Log and\n                     Verify Requirement,\xe2\x80\x9d requires operating units to document in PIAs how\n                     the log and verify requirement of OMB M-07-16, Safeguarding Against\n                     and Responding to the Breach of Personally Identifiable Information, has\n                     been implemented for the system.\n\n\n7\n  The Department\xe2\x80\x99s current IT security policy, revised in March 2009, no longer requires waivers\nto be submitted to the Department\xe2\x80\x99s IT security program manager. Instead, waiver requests are to\nbe submitted to the operating unit\xe2\x80\x99s CIO, while the Department\xe2\x80\x99s CIO has the discretion of\nelevating the waiver-approval process for issues that affect Department-wide security.\n\n                                             Page 14\n\x0c                                OIG FY 2009 FISMA Assessment\n\n\nRecommendations\n\nBIS should\n\n5.1 comply with the waiver process as outlined in the Department\xe2\x80\x99s IT security policy; and\n\n5.2 update the BECCI-2 privacy impact assessment to include all required elements and\n    submit it to the Director of OITPP in accordance with the Department\xe2\x80\x99s IT privacy policy.\n\n\n\n\n                                           Page 15\n\x0c                                    OIG FY 2009 FISMA Assessment\n\n\n\n6. OIG Control Assessment Found Vulnerabilities Requiring\n   Remediation\n\n    As part of OIG\xe2\x80\x99s FY09 FISMA evaluation of BECCI-2, we assessed a targeted set of system\n    components to determine if selected security controls are properly implemented on\n    applicable IT products. We tailored our procedures to the infrastructure\xe2\x80\x99s specific control\n    implementations.\n\n     \xe2\x80\xa2   OIG assessments identified several weaknesses in NIST SP 800-53 controls that\n         need to be addressed. These include the following:\n\n\n\n\n     \xe2\x80\xa2   Details for NIST SP 800-53 controls are listed in table 4.\n\n     \xe2\x80\xa2                           vulnerabilities identified by Gold Disk are listed in table 5.\n\n     \xe2\x80\xa2          improper settings are listed in table 6.\n\n     \xe2\x80\xa2          improper settings are listed in table 7.\n\n\n\n\n8\n\n\n\n\n                                                Page 16\n\x0c                               OIG FY 2009 FISMA Assessment\n\n\n\nRecommendation\n\n6.1 BIS should add the vulnerabilities we identified in tables 4-7 and the issue with\n    quarterly vulnerability scanning described above to the system\xe2\x80\x99s plan of action and\n    milestones, and remediate the vulnerabilities accordingly.\n\n\n\n\n                                           Page 17\n\x0c                                                       OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 1. Controls Not Tested Due to Time Constraints\n\n\n\n\n                                                                 Page 18\n\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 2. Assessments Hindered by Inadequate or Inaccurate Information\nControl                           Certification Team Assessment (Excerpts)        OIG Comments\n             Methods/Objects               [Results]\n\n\n\n\n                                                             Page 19\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 2. Assessments Hindered by Inadequate or Inaccurate Information\nControl                           Certification Team Assessment (Excerpts)        OIG Comments\n             Methods/Objects               [Results]\n\n\n\n\n                                                             Page 20\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 2. Assessments Hindered by Inadequate or Inaccurate Information\nControl                           Certification Team Assessment (Excerpts)        OIG Comments\n             Methods/Objects               [Results]\n\n\n\n\n                                                             Page 21\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 3. Insufficient Assessment Procedures\n                               Certification Team Assessment (Excerpts)\nControl      Assessment            Method/Objects       Actual Results            Met?   Evidence   OIG Comments\n             Objective             [Procedure]\n\n\n\n\n                                                              Page 22\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 3. Insufficient Assessment Procedures\n                               Certification Team Assessment (Excerpts)\nControl      Assessment            Method/Objects       Actual Results            Met?   Evidence   OIG Comments\n             Objective             [Procedure]\n\n\n\n\n                                                              Page 23\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 3. Insufficient Assessment Procedures\n                               Certification Team Assessment (Excerpts)\nControl      Assessment            Method/Objects       Actual Results            Met?   Evidence   OIG Comments\n             Objective             [Procedure]\n\n\n\n\n                                                              Page 24\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 3. Insufficient Assessment Procedures\n                               Certification Team Assessment (Excerpts)\nControl      Assessment            Method/Objects       Actual Results            Met?   Evidence   OIG Comments\n             Objective             [Procedure]\n\n\n\n\n                                                              Page 25\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 3. Insufficient Assessment Procedures\n                               Certification Team Assessment (Excerpts)\nControl      Assessment            Method/Objects       Actual Results            Met?   Evidence   OIG Comments\n             Objective             [Procedure]\n\n\n\n\n                                                              Page 26\n\x0c                                               OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 4. OIG Control Assessment Results\nSecurity          NIST SP 800-53 Requirement          OIG Assessment Results\nControl\n\n\n\n\n                                                         Page 27\n\x0c                                               OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 4. OIG Control Assessment Results\nSecurity          NIST SP 800-53 Requirement          OIG Assessment Results\nControl\n\n\n\n\n                                                         Page 28\n\x0c                                               OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 4. OIG Control Assessment Results\nSecurity          NIST SP 800-53 Requirement          OIG Assessment Results\nControl\n\n\n\n\n                                                         Page 29\n\x0c                                               OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 4. OIG Control Assessment Results\nSecurity          NIST SP 800-53 Requirement          OIG Assessment Results\nControl\n\n\n\n\n                                                         Page 30\n\x0c                                               OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 4. OIG Control Assessment Results\nSecurity          NIST SP 800-53 Requirement          OIG Assessment Results\nControl\n\n\n\n\n                                                         Page 31\n\x0c                                                   OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 4. OIG Control Assessment Results\nSecurity Control      NIST SP 800-53 Requirement          OIG Assessment Results\n\n\n\n\n                                                             Page 32\n\x0c                                                     OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 5           Vulnerabilities Identified by DISA\xe2\x80\x99s Gold Disk (OIG Control Assessment)\nVulnerability Description           BIS Assertion (Full Quotation)         OIG Comments\n\n\n\n\n                                                               Page 33\n\x0c                                                     OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 5.          Vulnerabilities Identified by DISA\xe2\x80\x99s Gold Disk (OIG Control Assessment)\nVulnerability Description           BIS Assertion (Full Quotation)         OIG Comments\n\n\n\n\n                                                               Page 34\n\x0c                                                     OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 5.          Vulnerabilities Identified by DISA\xe2\x80\x99s Gold Disk (OIG Control Assessment)\nVulnerability Description           BIS Assertion (Full Quotation)         OIG Comments\n\n\n\n\n                                                                                                               SSP implementation\n                                                                         description for access enforcement.\n\n\n\n\n                                                               Page 35\n\x0c                                                  OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 6      Improper Configuration Settings (OIG Control Assessment)\n\n\n\n\n                                                                      \n\nRule Name\n                   Device               Instance        Total   OIG Comments\n\n\n\n\n                                                            Page 36\n\x0c                                                  OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 6.     Improper Configuration Settings (OIG Control Assessment)\n\n\n\n\n                                                                       \n\nRule Name\n                   Device               Instance        Total    OIG Comments\n\n\n\n\n                                                            Page 37\n\n\x0c                                                  OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 6.     Improper Configuration Settings (OIG Control Assessment)\n\n\n\n\n                                                                       \n\nRule Name\n                   Device               Instance        Total    OIG Comments\n\n\n\n\n                                                            Page 38\n\n\x0c                                                  OIG FY 2009 FISMA Assessment\n\n\n\n\nTable 7       Improper Configuration Settings (OIG Control Assessment)\nConfiguration Setting Requirement                                                BIS Host\nRule Id BIS/CIS Rule\n\n\n\n\n                                                            Page 39\n\n\x0c                                OIG FY 2009 FISMA Assessment\n\n\nAppendix A: Objectives, Scope, and Methodology\n\nTo meet the FY 2009 Federal Information Security Management Act of 2002 (FISMA)\nreporting requirements, we evaluated the BIS certification and accreditation for the Bureau\nExport Control Cyber Infrastructure, Version 2 (BECCI-2).\nSecurity certification and accreditation packages contain three elements, which form the basis\nof an authorizing official\xe2\x80\x99s decision to accredit a system:\n\n    \xe2\x80\xa2   The system security plan describes the system, the requirements for security\n        controls, and the details of how the requirements are being met. The security plan\n        provides a basis for assessing security controls and also includes other documents\n        such as the system risk assessment and contingency plan, per Department policy.\n    \xe2\x80\xa2   The security assessment report presents the results of the security assessment\n        and recommendations for correcting control deficiencies or mitigating identified\n        vulnerabilities. This report is prepared by the certification agent.\n    \xe2\x80\xa2   The plan of action & milestones (POA&M) is based on the results of the security\n        assessment. It documents actions taken or planned to address remaining\n        vulnerabilities in the system.\n\nThe Department\xe2\x80\x99s IT Security Program Policy and Minimum Implementation Standards\nrequires that C&A packages contain a certification documentation package of supporting\nevidence of the adequacy of the security assessment. Two important components of this\ndocumentation are\n\n    \xe2\x80\xa2   the certification test plan, which documents the scope and procedures for testing\n        (assessing) the system\xe2\x80\x99s ability to meet control requirements; and\n    \xe2\x80\xa2   the certification test results, which is the raw data collected during the assessment.\n\nTo evaluate the certification and accreditation, we reviewed all components of the C&A\npackage and interviewed BIS staff to clarify any apparent omissions or discrepancies in the\ndocumentation and gain further insight on the extent of the security assessment. We\nevaluated the security plan and assessment results for applicable security controls and will\ngive substantial weight to the evidence that supports the rigor of the security assessment\nwhen reporting our findings to OMB.\n\nIn addition, we performed our own assessment of a targeted selection of controls (see\nappendix B). We conducted our assessment using a subset of procedures from NIST SP 800-\n53A, which we tailored to BECCI-2\xe2\x80\x99s specific control implementations. We did not attempt to\nperform a complete assessment of each control; instead we chose to focus on specific\ntechnical and operational elements.\n\nWe assessed controls on key classes of IT components, choosing a targeted set of\ncomponents from each class that would allow for direct comparison with BIS\xe2\x80\x99 certification test\nresults. We assessed configuration settings on\n                                                                                 We looked\nat controls implemented on                   and network-addressable\n      We also assessed aspects of controls implemented by firewalls (specifically the rule\nsets)                                                ),\n                                                                                         We\nalso performed vulnerability scanning using Nessus.\n\n\n\n\n                                           Page 40\n\x0c                                 OIG FY 2009 FISMA Assessment\n\n\nOur assessment included the following activities:\n\n    \xe2\x80\xa2\t   extraction, examination, and verification of system configurations\n    \xe2\x80\xa2\t   execution of scripts and manual checklists\n    \xe2\x80\xa2\t   examination of system logs\n    \xe2\x80\xa2\t   review of account management procedures\n    \xe2\x80\xa2\t   vulnerability scanning of network-addressable components\n    \xe2\x80\xa2\t   examination/analysis of security plan descriptions, including related policy and\n         procedure documents\n    \xe2\x80\xa2\t   interviews of appropriate BIS personnel\n\nOur assessment was limited in scope and should not be interpreted as the comprehensive\nreview that a security certification for a          system would require. It gave us direct\nassurance of the status of select aspects of important system controls and provided\nmeaningful comparison to BIS\xe2\x80\x99 security certification.\n\nWe reviewed the BECCI-2 privacy impact assessment as part of privacy reporting\nrequirements included in our annual FISMA report to OMB.\n\nWe used the following review criteria:\n\n    \xe2\x80\xa2\t   Federal Information Security Management Act of 2002 (FISMA)\n    \xe2\x80\xa2\t   U.S. Department of Commerce IT Security Program Policy and Minimum \n\n         Implementation Standards, June 30, 2005 \n\n    \xe2\x80\xa2\t   NIST Federal Information Processing Standards (FIPS)\n             o\t Publication 199, Standards for Security Categorization of Federal Information\n                 and Information Systems\n             o\t Publication 200, Minimum Security Requirements for Federal Information and\n                 Information Systems\n    \xe2\x80\xa2\t   NIST Special Publications:\n             o\t 800-18, Guide for Developing Security Plans for Information Technology\n                 Systems\n             o\t 800-37, Guide for the Security Certification and Accreditation of Federal\n                 Information Systems\n             o\t 800-53, Recommended Security Controls for Federal Information Systems\n             o\t 800-53, A Guide for Assessing the Security Controls in Federal Information\n                 Systems\n             o\t 800-70, Security Configuration Checklists Program for IT Products\n             o\t 800-115, Technical Guide to Information Security Testing and Assessment\n\nWe conducted our evaluation in accordance with the Inspector General Act of 1978, as\namended, and the Quality Standards for Inspections (revised January 2005), issued by the\nPresident\xe2\x80\x99s Council on Integrity and Efficiency.\n\n\n\n\n                                            Page 41\n\x0c                            OIG FY 2009 FISMA Assessment\n\n\n\n\nAppendix B: NIST SP 800-53 Security Controls Assessed by OIG\n\n  \xe2\x80\xa2   AC-2 Account Management\n  \xe2\x80\xa2   AC-3 Access Enforcement\n  \xe2\x80\xa2   AC-7 Unsuccessful Login Attempts\n  \xe2\x80\xa2   AC-8 System Use Notification\n  \xe2\x80\xa2   AC-11 Session Lock\n  \xe2\x80\xa2   AU-2 Auditable Events\n  \xe2\x80\xa2   AU-6 Audit Monitoring, Analysis, and Reporting\n  \xe2\x80\xa2   AU-8 Time Stamps\n  \xe2\x80\xa2   AU-9 Protection of Audit Information\n  \xe2\x80\xa2   AU-11 Audit Record Retention\n  \xe2\x80\xa2   CM-6 Configuration Settings\n  \xe2\x80\xa2   CM-7 Least Functionality\n  \xe2\x80\xa2   IA-2 User Identification and Authentication\n  \xe2\x80\xa2   IA-3 Device Identification and Authentication\n  \xe2\x80\xa2   IA-5 Authenticator Management\n  \xe2\x80\xa2   PL-4 Rules of Behavior\n  \xe2\x80\xa2   SC-7 Boundary Protection\n  \xe2\x80\xa2   SC-18 Mobile Code\n  \xe2\x80\xa2   SI-2 Flaw Remediation\n  \xe2\x80\xa2   SI-3 Malicious Code Protection\n  \xe2\x80\xa2   SI-4 Information System Monitoring Tools and Techniques\n  \xe2\x80\xa2   SI-7 Software and Information Integrity\n\n\n\n\n                                       Page 42\n\x0c                                                   UNITED STATES DEPARTMENT OF COMMERCE\nAppendix C: BIS Response                           Under Secretary for Industry and Security\n                                                   Washington, D.C. 20230\n\n\n\n                                                         SEP: i\xc2\xb7 G&009\n\n\n  MEMORANDUM FOR ALLEN CRAWLEY\n                 Assistant Inspector General\n                  for Systems Acquisition and IT Security\n\n  FROM:                   Daniel O. Hill~\n                          Acting Under Secretary\n\n  SUBJECT:               Draft Inspection Report No. OSE-19575: FY2009 FISMA\n                         Assessment ofBureau Export Control Cyber Infrastructure,\n                         Version 2 (BECCI-2)\n\n\n  Thank you for the opportunity to comment on the above-referenced draft DIG Report.\n  The DIG FY 2009 FISMA Assessment ofBECCI-2 provides the BIS Office of the Chief\n  Information Officer (OCIO) with valuable information that will be incorporated into\n  system security planning, configuration management and monitoring. The findings and\n  recommendations from the draft DIG Inspection Report have been reviewed and BIS\n  does not dispute the findings.\n\n To ensure compliance moving forward, one of the OCIO\'s major objectives for FY 2010\n is a complete and approved C&A for all our systems, especially\n infrastructure. In anticipation of the full FY 2010 President\'s Request, the BIS OCIO has\n begun efforts to improve our C&A documentation, IT workforce skills and overall\n FISMA responsibilities.\n\n If you have any questions comments on our response, please contact Eddie Donnell, BIS\'\n Acting Chief Information Officer, at (202) 482-4296.\n\n\n\n\n cc: Suzanne Hilding,\n     Chief Information Officer\n\x0c'